Presentation is loading. Please wait.

Presentation is loading. Please wait.

Vigilante and Potemkin Presenter: Ýmir Vigfússon Based in part on slide sets from Mahesh Balakrishnan and Raghavan Srinivasan.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Vigilante and Potemkin Presenter: Ýmir Vigfússon Based in part on slide sets from Mahesh Balakrishnan and Raghavan Srinivasan."— Presentation transcript:

1 Vigilante and Potemkin Presenter: Ýmir Vigfússon Based in part on slide sets from Mahesh Balakrishnan and Raghavan Srinivasan.

2 Security vulnerabilities Lazy programmers Bad programmers BIND, Sendmail, WU-FTP Buffer overflows Format string attacks Integer overflows Race conditions Command injection …

3 Parameters Return address Stack Frame Pointer Local variables SP Stack Growth Simple buffer overflow

4 Code on a server (written by a lazy programmer): void func(char *str) { char buf[128]; strcpy(buf, str); do-something(buf); } When the function is invoked the stack looks like: What if *str is 136 bytes long? After strcpy() : strret-addrsfpbuf top of stack str top of stack *str ret Simple buffer overflow

5 str top of stack *str ret execl(“/sbin/eject”); 31 c0 b0 3f cd 80 31 db 89 d9 b1 02 31 c0 b0 3f cd 80 eb 1f 5e 89 76 08 31 c0 88 46 07 89 46 0c b0 0b 89 f3 8d 4e 08 8d 56 0c cd 80 31 db 89 d8 40 cd 80 e8 dc ff ff ff /sbin/eject Simple buffer overflow

6 Worms 11/1988 … Cornell grad student Robert Morris writes the Internet Worm

7 Worms 11/1988 … 07/2001 09/2001 01/2003 08/2003 05/2004 08/2005 Cornell grad student Robert Morris writes the Internet Worm CodeRed – MS IIS Nimda – MS IIS+email Slammer – MS SQL Blaster – MS Win RPC Sasser – MS Win LSASS Zotob – MS Win Plug-n-Play (more to come)

8 Worms 07/2001 01/2003 08/2003 CodeRed – MS IIS Slammer – MS SQL Blaster – MS Win RPC 360,000 75,000 500,000 37m 8.5s 37m Infected 2x

9 Vigilante Automates worm defense Run heavily instrumented versions of software on detector machines Uses collaborative infrastructure to detect worms Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang, Paul Barham

10 Overview SCA: Self-Certifying Alert

11 Dynamic dataflow analysis Dirty data loaded into PCExecution control vuln. Dirty data to be executedCode execution vuln. Critical fn. argument dirtyFunction argument vuln. Specific to C/C++ vulnerabilities E-mail? Format string attacks?

12 SCA generation str top of stack buf sfp ret-addr

13 SCA generation str top of stack *str ret DIRTY %eax %ebx … %eip %esp

14 SCA generation str top of stack *str ret DIRTY %eax %ebx … %eip %esp

15 SCA generation str top of stack *str ret DIRTY %eax %ebx … %eip %esp AHA!

16 SCA generation Execution control SCA Address of code to execute is contained at this offset within the message Example: The Slammer Worm

17 SCA verification Hosts run same software with identical configuration within sandbox Replace code/address in SCA with a call to verified() No trust required Fast, simple and generic verification No false positives Assumes address/code/argument is supplied verbatim in messages Assumes message replay suffices for exploit reproduction

18 SCA distribution Flooding over secure Pastry overlay Denial-of-Service attacks? (DoS) Don’t forward already blocked SCAs Forward only after verification Rate-limit SCAs from each neighbor Use super-peers so worms can’t learn the topology

19 Local response Verify SCA Data and Control Flow Analysis Generate filters – conjunctions of conditions on single messages Two levels: General filter with false positives Specific filter with no false positives

20 SCA Generation TimeSCA Sizes Evaluation: SCA generation

21 SCA Verification TimeFilter generation Evaluation: SCA verification Verification is fast. The sandbox VM is always running.

22 Simulation on real worms Simulate worm epidemic on 500,000 nodes, 1000 super-peers Includes worm-induced congestion DoS: Each host sends fake SCAs to all neighbors

23 Internet Dangers

24 Honeypots Scalability Fidelity Containment “A honeypot is a network-connected system that is carefully monitored so that intrusions can be easily detected and precisely analyzed.”

25 Honeypots Low interaction High scaling Low fidelity High interaction Low scaling High fidelity Containment means that compromised honeypots should not be able to attack third-party systems. A honeyfarm is a set of honeypots.

26 Potemkin Honeyfarm “Dynamically bind physical resources to external requests only for the short periods of time necessary to emulate the execution behavior of dedicated hosts.” Potemkin: a honeyfarm system that exploits: Virtual machines Aggressive memory sharing Late binding of resources Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker and Stefan Savage

27 Potemkin Honeyfarm Potemkin Catherine II

28 Potemkin Honeyfarm “Dynamically bind physical resources to external requests only for the short periods of time necessary to emulate the execution behavior of dedicated hosts.” Potemkin: a honeyfarm system that exploits: Virtual machines Aggressive memory sharing Late binding of resources

29 Potemkin Architecture Virtual Machine Monitors (VMMs) Easy to manage. Physical resources not a major restriction. Each IP address spawns a new VM. Problem: Expensive Observation : Targets are homogenous Solution: clone a VM from a reference image, change IP (etc.), accept packets.

30 Flash Cloning

31 Delta Virtualization

32

33

34 Potemkin Architecture What if VMs are compromised? Gateway router policy: Isolate the HoneyFarm, only send outgoing packets in response to incoming ones. Other packets are internally reflected. Infections spread within HoneyFarm. Universal identifier captures causal relationship of communication. Directs incoming traffic, contains outgoing traffic, resource management, user interface

35 Evaluation Port-scan

36 Evaluation: Scan filter

37 Food for thought How can HoneyFarms attract traffic? HoneyPot detection DoS attacks

38 Questions?

39

Download ppt "Vigilante and Potemkin Presenter: Ýmir Vigfússon Based in part on slide sets from Mahesh Balakrishnan and Raghavan Srinivasan."

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
The Internet Motion Sensor: A Distributed Blackhole Monitoring System Michael Bailey*, Evan Cooke*, Farnam Jahanian* †, Jose Nazario †, David Watson* Presenter:

The Internet Motion Sensor: A Distributed Blackhole Monitoring System Michael Bailey*, Evan Cooke*, Farnam Jahanian* †, Jose Nazario †, David Watson* Presenter:
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
Communications of the ACM (CACM), Vol. 32, No. 6, June 1989

Communications of the ACM (CACM), Vol. 32, No. 6, June 1989
Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.

Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.
SCSC 555 Computer Security Chapter 10 Malicious software Part B.

SCSC 555 Computer Security Chapter 10 Malicious software Part B.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Ken Birman. Virtualization as a Defense We know that our systems are under attack by all sorts of threats Can we use virtual machines as a defensive tool?

Ken Birman. Virtualization as a Defense We know that our systems are under attack by all sorts of threats Can we use virtual machines as a defensive tool?
Vigilante: End-to-End Containment of Internet Worms Paper by: Manuel Costa, Jon Crowcroft, Miguel Castro, Ant Rowstron, Lidong Zhou, Lintao Zhang, Paul.

Vigilante: End-to-End Containment of Internet Worms Paper by: Manuel Costa, Jon Crowcroft, Miguel Castro, Ant Rowstron, Lidong Zhou, Lintao Zhang, Paul.
Stopping Worm/Virus Attacks Chiu Wah So (Kelvin).

Stopping Worm/Virus Attacks Chiu Wah So (Kelvin).
Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.

Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.
Vigilante: End-to-End Containment of Internet Worms Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang, Paul Barham.

Vigilante: End-to-End Containment of Internet Worms Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang, Paul Barham.
Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005 Shimin Chen LBA Reading Group.

Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005 Shimin Chen LBA Reading Group.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.

Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
Game-based Analysis of Denial-of- Service Prevention Protocols Ajay Mahimkar Class Project: CS 395T.

Game-based Analysis of Denial-of- Service Prevention Protocols Ajay Mahimkar Class Project: CS 395T.
Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm Authors: Michael Vrable, Justin Ma, Jay chen, David Moore, Erik Vandekieft, Alex.

Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm Authors: Michael Vrable, Justin Ma, Jay chen, David Moore, Erik Vandekieft, Alex.

Similar presentations

Ads by Google